Infrastructure Access Should Be Enforced, Not Manually Edited.
Lockwave exists because managing SSH keys at scale is fundamentally broken - and we built the tool we wished existed.
The Problem
Every growing engineering team eventually faces the same challenge: SSH key sprawl. Keys get added to servers during onboarding, accumulate over months, and when someone leaves, nobody knows exactly which servers they can still access.
The standard approach - SSHing into each machine to manually edit authorized_keys - doesn't scale. It's slow, error-prone, and produces no audit trail. A single forgotten key on a single server creates a security exposure that can persist for months.
We built Lockwave to replace this manual process with cryptographic enforcement. Define the desired state centrally, let the daemon enforce it everywhere, and have a complete audit trail of every change.
Core Principles
Zero Inbound Ports
The daemon only makes outbound HTTPS requests. Your hosts never accept inbound connections from Lockwave. No attack surface expansion.
No Private Keys Stored
When we generate a key pair, the private key is displayed once and discarded. We only store public keys. Your secrets never leave your machine.
Immutable Audit Trail
Every action is logged - key generation, assignment, revocation, drift detection, break-glass. The log is append-only and cannot be modified.
The Company
Lockwave is built by Pixel & Process UG (haftungsbeschrankt), a software company based in Lubeck, Germany.
As a German company, GDPR compliance is not an afterthought - it is built into the architecture from day one. We process personal data (SSH key metadata, host IP addresses, audit events) on EU-based infrastructure hosted by Hetzner.
We believe infrastructure access tooling should be transparent, auditable, and operated within a clear legal jurisdiction. That is why we publish our privacy policy and terms of service in plain language.
Ready to Enforce Your Key Policy?
Start free. No credit card required. See how Lockwave works in under 5 minutes.